Advanced setup questions

Hello everyone!

Currently I am running DHCP and DNS on OPNsense. I like how it had integrated DHCP leases in Unbound, but for about half a year now there have been issues with leases no longer registering in Unbound, so DNS isn't working anymore for DHCP clients. I recently learned there is no fix coming for ISC DHCP and the team is developing a solution with Dnsmasq. I trust they will do an excellent job, but it will take a while and no one knows whether it will support the full feature set from the start (probably not). I've been putting this off for far too long and it's frustrating to say the least.

As this isn't working for me anymore, I have been manually creating DHCP fixed leases and DNS overrides in Unbound. After deploying a dozen new systems for a lab this past week ... that pushed me over the edge and I decided I need something that actually works.

Before diving in and moving from OPNsense to Pi-hole, I would really like to know whether some of the more advanced things I rely on are actually possible with Pi-hole. I don't want to waste hours mucking around and find out things I need don't work.

Been reading here, searched the FAQ and forums, and I asked a few LLMs about Pi-hole's features. There are two things I'm not sure about and I would like confirmation on whether they are possible, and how difficult it would be to set them up (OPNsense makes these things a breeze). The only thing I had some difficulty with was setting up router advertisement daemons. While it works, I'm not sure how. This part is not my specialty ;-). I'm sure I'll manage that once more though ;-).

I have a /56 IPv6 subnet which I divide into /48s for different VLANs. OPNsense has been handling DHCPv6 (alongside DHCPv4) and all hosts resolve to their IPv6 addresses too.

So I run multiple VLANs, each with their own subnet and domain suffix. Each VLAN has a DHCPv4 and DHCPv6 server active and I only allow specific traffic between them. DHCP registers in Unbound so FQDNs resolve.

Is Pi-hole able to serve DHCPv4 and DHCPv6 for multiple subnets on separate VLANs and register their addresses in DNS?

Is the management of setting up fixed leases and DNS overrides similarly easy as in OPNsense?

Thanks!

One of the Pi-hole developers can totally say I'm wrong here.

I don't believe you can host multiple DHCP servers/scopes on a single Pi-hole. It's one server with an IP range and that's it. Pi-hole v5 does not have robust DHCPv6 (SLAAC + RA) support. I am unsure about v6.

Considering the complexity of your network, I would really go with something like Windows DHCP and let Pi-hole handle the DNS side of things. You should have no issues with this configuration.

You cannot replace OPNsense by Pi-hole.

OPNsense is a firewall, acting as a gateway for your network, in order to filter all traffic flowing through it.

Pi-hole is a filtering DNS forwarder. It only ever sees DNS traffic, so e.g. it can't do any IP based blocking.
Optionally, it can take over DHCP duties.

What you could consider is to switch DNS and DHCP duties over to Pi-hole.
Firewall and routing duties (including VLAN configuration and management) would remain with OPNsense and your router.

For IPv4, yes, absolutely, if you are willing to familiarise yourself with dnsmasq configuration options.
With regards to IPv6, acquiring a public IPv6 prefix and issuing the respective Router Advertisements would stay with your router, so you want to investigate whether and how dnsmasq would match your IPv6 requirements.

Pi-hole's embedded DNS/DHCP server pihole-FTL is a tailored fork of dnsmasq, so its DHCP/DHCPv6 server can do everything that's possible with dnsmasq.

While VLAN management would remain the job of your router, Pi-hole can serve as a DHCP server for multiple VLANs, provided your router allows inter-VLAN communication, or your Pi-hole is attached to each of your VLANs' subnets, e.g. via corresponding virtual network interfaces.
You would then be required to write the respective dnsmasq configuration files yourself.

Are you positive that's indeed happening?

Most modern OSs would prefer NDP to learn their network details via RAs and self-assign IPv6 addresses via SLAAC, avoiding acquiring DHCPv6 leases (and thus registering their names), and there are even some OSs that do not support DHCPv6 at all, Android being the prime example here.

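To make the "write the dnsmasq configuration yourself" part concrete, here is an added example of what such a drop-in file could look like for the multi-VLAN setup asked about in this thread. It is not code from the thread or from the Pi-hole project; interface names, addresses, prefixes, MAC addresses and domain names are all made up for illustration. It assumes a Pi-hole v5 host with a VLAN sub-interface in each subnet, and that Pi-hole's own web-UI DHCP server stays disabled so this file is the only source of `dhcp-range` lines in `/etc/dnsmasq.d/`.

```conf
# /etc/dnsmasq.d/10-vlan-dhcp.conf (added example, all values are assumptions)
# Pi-hole's generated 01-pihole.conf already contains its own interface= line;
# these add the VLAN sub-interfaces the Pi-hole host is attached to.
interface=eth0.10
interface=eth0.20

# One DHCPv4 scope per VLAN. "set:<tag>" labels leases from that scope so
# per-scope options can be attached below.
dhcp-range=set:lab,10.10.10.100,10.10.10.200,255.255.255.0,12h
dhcp-range=set:iot,10.10.20.100,10.10.20.200,255.255.255.0,12h

# Gateway (the router's VLAN address) and DNS server (the Pi-hole's address
# in that VLAN) handed out per scope.
dhcp-option=tag:lab,option:router,10.10.10.1
dhcp-option=tag:lab,option:dns-server,10.10.10.5
dhcp-option=tag:iot,option:router,10.10.20.1
dhcp-option=tag:iot,option:dns-server,10.10.20.5

# Domain suffix per subnet: leases in 10.10.10.0/24 are registered as
# <hostname>.lab.example.internal, leases in 10.10.20.0/24 under iot.
domain=lab.example.internal,10.10.10.0/24
domain=iot.example.internal,10.10.20.0/24
# Also append the matching domain to short names from /etc/hosts.
expand-hosts

# Never forward the local domains upstream (no leak of internal names).
local=/lab.example.internal/
local=/iot.example.internal/

# Fixed leases: MAC, address, hostname. The hostname is registered in DNS
# under the domain of the subnet the address falls in.
dhcp-host=aa:bb:cc:dd:ee:01,10.10.10.10,nas
dhcp-host=aa:bb:cc:dd:ee:02,10.10.20.10,sensor-01

# DNS override that is not tied to a lease (the OPNsense "host override").
host-record=printer.lab.example.internal,10.10.10.20

# Optional DHCPv6 per VLAN. enable-ra makes dnsmasq send Router Advertisements
# itself; ra-names additionally publishes AAAA records for SLAAC hosts whose
# name is known from their DHCPv4 lease.
enable-ra
dhcp-range=set:lab,2001:db8:10::100,2001:db8:10::1ff,ra-names,64,12h
dhcp-range=set:iot,2001:db8:20::100,2001:db8:20::1ff,ra-names,64,12h
dhcp-option=tag:lab,option6:dns-server,[2001:db8:10::5]
dhcp-option=tag:iot,option6:dns-server,[2001:db8:20::5]
```

Two practical checks before restarting pihole-FTL: run `pihole-FTL dnsmasq-test` (or `dnsmasq --test`) so a syntax error does not take DNS down for every VLAN at once, and make sure the firewall rules on the router permit DHCP (UDP 67/68, and UDP 546/547 for DHCPv6) and DNS from each VLAN to the Pi-hole's address in that VLAN. Each `dhcp-range` must correspond to a subnet the Pi-hole holds an address in; a scope for a subnet it is not attached to only works if the router relays DHCP to it.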
Thanks for the suggestion. Respectfully, Windows will never happen. I'm sure it works fine, but it's not my cup of tea.

Thanks for your elaborate answer. Appreciate it.

And yes, I know and that's not the plan. Reading back I realize that's what I said, but the DHCP and DNS components were on my mind, and that's what I meant to say.

That sounds good!

I wouldn't set up communication between the VLANs, but I can set up VLANs via bridges on Linux for Pi-hole. It does sound like it would be easier to run Pi-hole directly on the OS and not via Docker in this case. I suppose I could set up macvlans, but I suspect it's more of a hassle than a straight setup on the OS directly.

Learning dnsmasq config is not a problem. I don't mind having to spend time on the setup as long as it's rewarding in terms of ease of use and, functionality-wise, it does what it's supposed to do.

Quite sure, but I could be wrong of course. I can `dig @unbound_ip fqdn AAAA` and get an answer. To me that means it works like I think it works.

Well, most modern OSs have a choice to use DHCPv6 or auto-configure :wink:. Android being the exception as you say :stuck_out_tongue:.

Honestly, and jokes aside, I really don't know how IPv6 works. At least not very well. I kind of feel like the old rusty physicist that just can't wrap his head around quantum mechanics, and tries to poke a hole in the box to watch the cat. This is the real issue here of course. I find it overly complex and my brain thinks in IPv4 subnets and VLANs and tries to apply that knowledge to IPv6. IPv4 is easy to understand for me. Subnetting, routing, firewalling, etc.: it's straightforward and comes naturally. With IPv6 auto-configure (as via track interface) there didn't seem to be any logic behind a host acquiring an IPv6 address in subnet A and one in subnet B. I'm not asking you to explain this to me, but it shows you where I am coming from. I worked around this by configuring my own DHCPv6 ranges and applying the kind of logic that I am familiar with from IPv4. Which, I know, is wrong, but it works.

I need to think about this some more and decide whether this whole IPv6 thing is worth the time and whether I actually need it. Perhaps it's something I can ignore for now, and figure out when I actually run into something that doesn't work the way I want or need.

Perhaps I can start the setup for IPv4. What do you think, dedicate a machine for it, or run it in Docker?

Decided to replace OPNsense with a Mikrotik router. I am in the process of setting it up.

I am using a script to create DNS entries for DHCP leases. The script triggers on lease requests and runs on a schedule to clean up after itself.

I set up the DNS server; it currently resolves local leases and static entries and forwards to the ISP DNS servers for the rest.

Once the setup is more or less complete, I will configure it to forward to Pi-hole for filtering. This will also use a script that will prevent local domains from being sent to Pi-hole and the internet. RouterOS doesn't natively support a split-horizon setup, but this will effectively be the same.